No, Encryption Will Not Protect Digital Cameras, or Photographers

Techdirt brings us the news that the Freedom of the Press Foundation wants camera makers to build encryption into their products.

Encryption has become one of the key issues in the digital world today, as the many posts here on Techdirt attest. And not just in the tech world, but far beyond, too, as governments grapple with the spread of devices and information that cannot easily be accessed just because they demand it. Techdirt readers probably take crypto for granted, as an increasing proportion of Web connections use HTTPS, mobile phones generally offer encryption options, and hugely-popular mainstream programs like WhatsApp deploy end-to-end encryption. But a recently-published open letter points out that there is one domain where this kind of protectively-scrambled data is almost unknown: photography. The letter, signed by over 150 filmmakers and photojournalists, calls on the camera manufacturers Canon, Fuji, Nikon, Olympus and Sony to build encryption features into their still photo and video camera products as a matter of course. Here's why the signatories feel it's necessary:

Without encryption capabilities, photographs and footage that we take can be examined and searched by the police, military, and border agents in countries where we operate and travel, and the consequences can be dire.

We work in some of the most dangerous parts of the world, often attempting to uncover wrongdoing in the interests of justice. On countless occasions, filmmakers and photojournalists have seen their footage seized by authoritarian governments or criminals all over the world. Because the contents of their cameras are not and cannot be encrypted, there is no way to protect any of the footage once it has been taken. This puts ourselves, our sources, and our work at risk.

As a user of digital cameras; I hope this never comes to pass; it will cause more problems than it solves.

For one thing, encrypting a camera will not protect the data, or the camera's owner. The FPF is mistaken on that point.

Encryption will only restrict access to the data, and only so long as no one is interested enough to hack the DRM. As anyone who has followed encryption news can tell you, there are hundreds if not thousands of hackers who see defeating encryption as a professional challenge.

All it takes is one to break the encryption and share their work with the world, and then there is no restriction on accessing the data.

And the reason I stress accessing the data versus protecting it is because encryption will in no way protect the data.

Encryption only impacts access; it does not protect against physical destruction. One can still take an encrypted camera and simply destroy it with a few swings of a hammer. Or one could destroy the storage media using nothing more than the contents of the average toolbox.

In a way that would simply be a return to the old days when one exposed a camera's film in order to destroy the data. (How young the FPF members must be, to not the similarity?)

Sure, the bad actor would like to see the data before destroying it, but in many situations they just want to make sure that the no one has the data.

And when it comes to destroying data, one need not even physically destroy the object to achieve the goal. One could pull that off by using the encryption against itself, by triggering the security features to wipe the camera.

What if the data is protected by an access code, and the camera is set to wipe the data if the wrong code is entered?

That is how security works on the iPhone works, and if all you want is to make the data disappear then it is a great way to delete the data without damaging the hardware.

But never mind using the security features to defeat itself; there are simpler methods to gain access. Encryption also does not protect against the classic access method, as detailed by xkcd:

Should a bad actor encounter an encrypted camera, they could just beat the access code out of the camera's owner.

So really, encryption provides no more protection that what already exists.

It wouldn't even provide a fig leaf of protection, and comes at the cost of potentially harming users who never wanted or needed encryption.

All it would take is one bug, or an update gone wrong, and suddenly a user - who had never even turned on the encryption - will lose access to their data.

Given that the net benefit of adding encryption to cameras is nil, is it really worth the potential downside?

Nate Hoffelder

Nate Hoffelder is the founder and editor of The Digital Reader. He has been blogging about indie authors since 2010 while learning new tech skills weekly. He fixes author sites, and shares what he learns on The Digital Reader's blog. In his spare time, he fosters dogs for A Forever Home, a local rescue group.

Related Posts

21 Comments

Agreed. The best cure, rather than encryption, is widespread, immediate dissemination of sensitive data. That way if the “tyrannical bad guys” get their hands on something embarrassing they don’t want released, it is already out in the wild and difficult to shut down.

Besides, encryption will inevitably end up being a way for manufacturers to control an “owner”‘s access to their own data in the same way that car and PC and printer and coffee maker and home appliance manufacturers use the DMCA and other nonsense clauses to prevent people from using their own property as they see fit

There use to be an encryption program called Truecrypt which ran on Windows. It would either encrypt your whole disk or create a virtual disk which was encrypted. To solve the problem of someone simple beating you into telling them the key it provided the option for a feature called plausable deniability. It would allow you to create a second encrypt partion inside the first. Due to the random nature of an encrypted space you could not tell the difference between used and unused disk space. So use the first key to encrypt benign information and the second to encrypt the the important information. Ubfortunately the program was discontinued several years ago and it never did support mobile platforms. Still, they could of course simply destroy the device to prevent you from accessing the information.

Some additional information: 1. VeraCrypt is an ongoing project based on TrueCrypt, with improvements and security fixes and continuing to support the plausible-deniability feature. 2. As for mobile platforms, EDS on Android creates and accesses virtual disks compatible with TrueCrypt or VeraCrypt. It requires root to support a full-fledged virtual disk, but even without root it can be used in a file-explorer type mode.

As the previous poster said, there is Truecrypt and its various forks. So it is possible to make a system with “pausible deniability”.

There is NO WAY that the encryption would be enabled by default for ordinary users, so there is no danger of you not getting the access to your own data.

Consider this scenario: Before meeting with a whistle-blower the journalist generates a private encryption key. Using this key he also generates public key that can encrypt the data but not decrypt it – this is how the asymmetric encryption works. He uploads the public key to a camera and leaves private key with somebody else. The photos and videos can be only viewed using private key. He also snaps a few mildly embarrassing private bedroom photos encrypted with a second public key and takes the second private key with him on a hidden media for the security to seize. So after shooting a photo or a video with a whistle-blower even the photographer can’t have a look at photos once they disappear from the screen.

And … mind you … the system would be designed by genuine cryptography experts and not by me 😉

I am surprised that nobody has built such camera yet using this:http://www.banana-pi.org/d1.html or something better. I found this after three minutes of searching.

“Is it possible to pull off the double layer encryption using only the camera’s CPU?” I suspect so. Professional cameras are are already doing a lot of processing to generate the image files from the information coming from the sensor. It might slow down the saving process a bit, but given the size of these camera memory buffer this wouldn’t be a big problem. You could easily take 10 or 20 photos in a row, without being hindered by the save time taking a few extra seconds.

“Also, finding the encryption would incline a bad actor to destroy the storage completely, thus rendering moot the extra level of deception.” In some situations in might be really important to keep photos hidden. Say a journalist goes to a “bad” country and take photos that contain information about the identity of an informant. They might have an understanding that the photos will only be published after the informant has left the country. Having these photos revealed to soon could be dangerous for the informant.

There are also countries like the US. Recently a Canadian journalist had his phone and computer searched when trying to enter the US. Legally they can attempt to search devices, but they can’t compel you to give up a password. The worst they can do is deny entrance. I’m not sure if they are allowed to destroy a device. I suspect they would have to show evidence that it looked like a bomb.

“Also, finding the encryption would incline a bad actor to destroy the storage completely, thus rendering moot the extra level of deception.” A way of dealing with this problem is for a major manufacturer to enable an encrypted partition (using randomly generated passwords or something) on all new cameras. This way having an encrypted partition wouldn’t be be suspicious since every tourist has one. Since it can be set up so you can’t tell if an encrypted partition has been used or not, you could easily claim not to have used it even if you had.

Of course, at this point it would start effecting people who don’t use it. Everyone would have to pay for that space even if they don’t use it.

This just makes no sense. By the same logic, it’s useless to encrypt your phone, right? Anyone who wants access to it will just destroy it, or beat you until you unlock it. So why bother? Actually, I can think of lots of reasons a bad-actor nation state (I don’t exclude the US) or law enforcement (same) would want to see, not destroy, the pictures. And I wouldn’t characterize torture as a “simpler” method of gaining access; also, I can think of lots of scenarios where law enforcement… say, the FBI… wouldn’t feel free to torture a photographer to get the password.

One more thing–well, two: there are lots of different kinds of encryption, and encryption and DRM aren’t synonymous. That’s why you don’t need a password to play a DVD, and that’s why a Norwegian teenager could crack CSS but the NSA is freaked out because ISIS can use WhatsApp.

Finally, no one is going to make you use strong encryption, and if they try, the solution is simple: use a crappy password.

Another use for encryption that hasn’t been mentioned here is for photographers who just don’t want other people selling their photos. Apparently it isn’t unheard of for photos off a lost or stolen camera or SD card to appear for sale online. In this case, torture isn’t a possibility. Destruction of the data is probably just as likely with or without encryption (and the data was likely backed up already).

2) Create apps that give the photographer a choice as to security protocol, according to preference and/or situation. E.g. upload all photos to editor’s cloud a/c and delete from camera, or encrypt photos with a key that only their editor has decryption-access to.

This provides advantages in terms of neither being ‘one size fits all’, nor a ‘single point of failure’ (if all cameras do exactly the same thing, then authorities only need to discover one technique to circumvent it), as well as allowing protocols to adapt to known situations and circumvention techniques.

While I agree that encryption probably is both overkill and counterproductive, one thing that would be good to have is authentication.

It would be fairly simple to sign entire photos, which would ensure that the contents have not been corrupted. What would be trickier is a mechanism whereby certain operations could still be carried out on the photo, and still maintaining the trusted authorship. (Cropping, white-balance correction, some basic corrections should be OK, but blatant patching ought to be detectable.)

This was by far the worst kind of garbage I have ever read… about encryption. Passwords are a real thing and it is very hard to circumvent encryption, unless it’s an old algorithm with known weaknesses. Do you feel like encryption is laughed at everywhere all over the internet and that all of your email accounts can be accessed by anyone any time? It’s not the case. You are just wrong if you think that. When services are “hacked” it usually means that someone guessed the right password or did the inverse problem with hashes. It’s not trivial at all. By saying that encryption doesn’t help you are just making things worse for everyone. Even granting your objections: if a person doesn’t want to get in trouble with authorities, then having the camera smashed is preferable to being accused of a crime. Moreover, whenever you return late from some trip and forget your camera on the train, your data cannot be accessed from the SD card, if it’s encrypted, as you say yourself. That’s great in itself, restricted access is good: it’s better to lose the camera than betray someone’s trust whose picture you took. Do you have pictures of your kids on the camera? Better not let it fall into the wrong hands then! Other sensitive information? Very likely. Political activists and journalists are just the tip of the iceberg here. And.. DRM is different from encryption in terms of area of use, I would not conflate the two. But, let’s say encrypted cameras or SD cards are destroyed on entry to the US: do you really expect that all encrypted cameras will be hammered into oblivion on sight? Reading all of this was just so infuriating. If all of our cameras are encrypted then such a scenario is very unlikely, I’d wager.